diff --git a/docs/wallet/issuer_configuration.md b/docs/wallet/issuer_configuration.md index 6a866bd..19c8c44 100644 --- a/docs/wallet/issuer_configuration.md +++ b/docs/wallet/issuer_configuration.md @@ -1,6 +1,6 @@ # Issuer configuration -Updated the 22nd of November 2024. +Updated the 12th of December 2024. The wallets support most of the VC options of the OIDC4VCI standard for issuer configuration. @@ -14,15 +14,16 @@ Specifications of the different Drafts are available here: * [Draft 10/11](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-10.html) supported for EBSI V 3.x * [Draft 12](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-12.html) not supported -* [Draft 13](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-13.html) supported -* [Draft 14](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-14.html) soon supported +* [Implementer Draft 1.0 (Draft 13)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-ID1.html) supported +* [Draft 14](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-14.html) partially supported +* [Implementer Draft 2.0 (Draft 15)](https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html) not supported ## OIDC4VCI flow and features Wallets support: * VC format ldp_vc, jwt_vc, jwt_vc_json, jwt_vc_json-ld, vc+sd-jwt, -* VCDM 1.1, +* [VCDM 1.1](https://www.w3.org/TR/vc-data-model/), * credential offer by value and by reference, * pre authorized code (by default), authorized code flow, push authorization request, PKCE, * [Attestation based client authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/), 
@@ -35,14 +36,17 @@ Wallets support: * proof types as `jwt` or `ldp_vc`, * proof of possession header with `kid` or `jwk`, * deferred endpoint, +* [DPoP RFC 9449](https://datatracker.ietf.org/doc/html/rfc9449) +* nonce endpoint (Draft 14), * key identifiers as jwk thumbprint of DID, * keys as EdDSA, P-256, seckp256k1, +* [Bitstring Status List V1.0](https://www.w3.org/TR/vc-bitstring-status-list/), +* [IETF Token Status List Draft 6](https://www.ietf.org/archive/id/draft-ietf-oauth-status-list-06.html) Wallets do not support: * notification endpoint, * batch endpoint of Draft 13, -* DPoP for code and token, * encrypted credentials, * VCDM 2.0. @@ -50,7 +54,7 @@ Wallets do not support: ### JSON-LD VC (ldp_vc) -Only did:key DID method is supported. +Only **did:key** DID method is supported. Wallets do not support remonte @context loading. Use embedded definition of json-ld attributes in the `@contex`t array. 
@@ -508,49 +512,8 @@ The issuer responds with the issuer matadata which looks like this: ], "credential_endpoint": "https://talao.co/issuer/sobosgdtgd/credential", "deferred_credential_endpoint": "https://talao.co/issuer/sobosgdtgd/deferred", - "scopes_supported": [ - "openid" - ], - "response_types_supported": [ - "vp_token", - "id_token" - ], - "response_modes_supported": [ - "query" - ], - "grant_types_supported": [ - "authorization_code", - "urn:ietf:params:oauth:grant-type:pre-authorized_code" - ], - "subject_types_supported": [ - "public", - "pairwise" - ], - "id_token_signing_alg_values_supported": [ - "ES256", - "ES256K", - "EdDSA", - "RS256" - ], - "request_object_signing_alg_values_supported": [ - "ES256", - "ES256K", - "EdDSA", - "RS256" - ], "request_parameter_supported": true, "request_uri_parameter_supported": true, - "token_endpoint_auth_methods_supported": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "none" - ], - "request_authentication_methods_supported": { - "authorization_endpoint": [ - "request_object" - ] - }, "subject_syntax_types_supported": [ "urn:ietf:params:oauth:jwk-thumbprint", "did:key", @@ -570,10 +533,6 @@ The issuer responds with the issuer matadata which looks like this: "id_token_types_supported": [ "subject_signed_id_token" ], - "authorization_endpoint": "https://talao.co/issuer/sobosgdtgd/authorize", - "token_endpoint": "https://talao.co/issuer/sobosgdtgd/token", - "jwks_uri": "https://talao.co/issuer/sobosgdtgd/jwks", - "pushed_authorization_request_endpoint": "https://talao.co/issuer/sobosgdtgd/authorize/par", "credential_configurations_supported": { "InsuranceNaturalPerson": { "scope": "InsuranceNaturalPerson_scope", 
@@ -649,6 +608,89 @@ The issuer responds with the issuer matadata which looks like this: ``` +Then the wallet calls the authorization server metadata endpoint: + +```https +GET /issuer/sobosgdtgd/.well-known/oauth-authorization-server +Host: talao.co +``` + +The authorization server responds with the matadata which looks like this: + +```json + +{ + "pre-authorized_grant_anonymous_access_supported": true, + "display": [ + { + "name": "Talao issuer", + "locale": "en-US", + "logo": { + "uri": "https://talao.co/static/img/talao.png", + "alt_text": "Talao logo" + } + }, + { + "name": "Talao issuer", + "locale": "fr-FR", + "logo": { + "uri": "https://talao.co/static/img/talao.png", + "alt_text": "Talao logo" + } + } + ], + "scopes_supported": [ + "openid" + ], + "response_types_supported": [ + "vp_token", + "id_token" + ], + "response_modes_supported": [ + "query" + ], + "grant_types_supported": [ + "authorization_code", + "urn:ietf:params:oauth:grant-type:pre-authorized_code" + ], + "subject_types_supported": [ + "public", + "pairwise" + ], + "id_token_signing_alg_values_supported": [ + "ES256", + "ES256K", + "EdDSA", + "RS256" + ], + "request_object_signing_alg_values_supported": [ + "ES256", + "ES256K", + "EdDSA", + "RS256" + ], + "token_endpoint_auth_methods_supported": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "none" + ], + "request_authentication_methods_supported": { + "authorization_endpoint": [ + "request_object" + ] + }, + "id_token_types_supported": [ + "subject_signed_id_token" + ], + "authorization_endpoint": "https://talao.co/issuer/sobosgdtgd/authorize", + "token_endpoint": "https://talao.co/issuer/sobosgdtgd/token", + "jwks_uri": "https://talao.co/issuer/sobosgdtgd/jwks", + "pushed_authorization_request_endpoint": "https://talao.co/issuer/sobosgdtgd/authorize/par" +} + +``` + Then wallet calls the token endpoint with the pre authorized code and a client_id (optional): ```https 
diff --git a/docs/wallet/oidc4vc_settings.md b/docs/wallet/oidc4vc_settings.md index 4f5fd73..d38749e 100644 --- a/docs/wallet/oidc4vc_settings.md +++ b/docs/wallet/oidc4vc_settings.md @@ -1,13 +1,14 @@ -# OIDC4VC Parameters +# OIDC4VC parameters -Updated the 14th of October 2024. +Updated the 12th of December 2024. To access the OIDC4VCI parameters: -1. Choose profile "Custom", -2. Select Settings/Self Sovereign Identity/OIDC4VCI settings +1. Go to "Settings" +2. Choose profile "Custom", +3. Select the options you want to setup -This section allows an advanced user to specify manually the SSI profile of his wallet. +This section allows an advanced user to specify manually the ecosystem technical options of his wallet. More parameters are available through the Wallet Provider Backend. This feature can be hidden in case of a specific wallet configuration defined with the Wallet Provider Backend. @@ -34,6 +35,7 @@ it can be any one of the DID methods of the list ([did:key](https://w3c-ccg.gith ### OIDC4VCI The OIDC4VCI draft release. For EBSI V3.x must be Draft 11. +Draft 14 is partially supported : nonce endpoint is supported for build 2.18.8 and above. In this case the wallet will call the nonce endpoint to get a nonce for the proof of key ownership and will not use the nonce provided by the token endpoint if any. ### Cryptographic Holder Binding 
@@ -55,9 +57,9 @@ Select one authentication method among the following ones: * **none:** No authentication required, * **client_secret_basic:** Sends ID and secret in the HTTP header, * **client_secret_post:** Sends ID and secret in the request body, -* **client_id:** Identifies the client with a unique ID, +* **client_id:** Identifies the client with a unique ID. -Learn more about authentication method [here](https://www.rfc-editor.org/rfc/rfc6749#section-2.3). +Learn more about authentication method [here](https://www.rfc-editor.org/rfc/rfc6749#section-2.3). These client authentication methods allow pre-registered wallet. Choose "none" otherwise. ### Wallet Client_id scheme @@ -65,7 +67,7 @@ The client type affects how the wallet authenticates and interacts with the auth * **DID:** Decentralized Identifier, typically used for secure, decentralized identity interactions, * **P-256 JWK Thumbprint** Used when the subject is identified via a jwk thumbprint, -* **confidential Client:** For confidential clients that require secure and private interaction with the authorization server. +* **Pre-registered client:** Used for secure or private interaction with the authorization server. ### VC Format @@ -109,3 +111,7 @@ Learn more about PAR [here](https://datatracker.ietf.org/doc/html/rfc9126). ### StatusList caching The Status List cache duration controls how long the wallet stores status lists used to verify credentials (e.g., revoked or valid). Adjusting this duration can balance performance with up-to-date information. + +### Demonstrating Proof of Possession (DPoP) + +This is the IETF RFC 9449 : which "... describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens. diff --git a/docs/wallet/verifier-configuration.md b/docs/wallet/verifier-configuration.md index ba5e005..2822444 100644 
--- a/docs/wallet/verifier-configuration.md +++ b/docs/wallet/verifier-configuration.md @@ -4,18 +4,25 @@ Updated the 18th of November 2024. ## OIDC4VP Specifications Drafts -Wallets support both OIDC4VP and SIOPV2 specifications. +Wallets support OIDC4VP specifications. -* [OIDC4VP Draft 18](https://openid.net/specs/openid-4-verifiable-presentations-1_0-18.html) supported -* [OIDC4VP Draft 20](https://openid.net/specs/openid-4-verifiable-presentations-1_0-20.html) supported -* [OIDC4VP Draft 22](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) coming soon -* [SIOPV2 Draft 13](https://openid.net/specs/openid-connect-self-issued-v2-1_0.html) supported +* [Implementer Draft 1 (Draft 8)](https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0-ID1.html) supported +* [implementer Draft 2 (Draft 18)](https://openid.net/specs/openid-4-verifiable-presentations-1_0-ID2.html) supported +* [Draft 20](https://openid.net/specs/openid-4-verifiable-presentations-1_0-20.html) supported +* [Draft 21](https://openid.net/specs/openid-4-verifiable-presentations-1_0-21.html) partial support +* [Implementer Draft 3 (Draft 22)](https://openid.net/specs/openid-4-verifiable-presentations-1_0-22.html) partial support +* [Draft 23](https://openid.net/specs/openid-4-verifiable-presentations-1_0-23.html) not supported + +Wallets support SIOPV2 specifications. + +* [Implementer Draft 1 (Draft 7)](https://openid.net/specs/openid-connect-self-issued-v2-1_0-ID1.html) supported +* [Draft 13](https://openid.net/specs/openid-connect-self-issued-v2-1_0.html) supported ## OIDC4VP and SIOPV2 features Wallets support: -* client_id_scheme, +* client_id_scheme as an attribute or as a prefix of client_id (draft 22), * request in value and request_uri, * presentation_definition and presentation_definition_uri, * direct_post and direct_post.jwt, 
@@ -25,6 +32,8 @@ Wallets support: Wallets do not support: +* the Digital Credential Query Language (DCQL) +* transaction data * request uri Method Post, * encrypted response, * openid federation 1.0. diff --git a/docs/wallet/wallet-profiles.md b/docs/wallet/wallet-profiles.md index 5d44725..8386005 100644 --- a/docs/wallet/wallet-profiles.md +++ b/docs/wallet/wallet-profiles.md @@ -1,6 +1,6 @@ # Wallet profiles -Updated the 18th of November 2024. +Updated the 12th of December 2024. Users can access to wallet profiles through Settings/Wallet Profiles. This feature feature can be hidden in case of a specific wallet configuration through the Wallet Provider Backend. 
@@ -14,23 +14,24 @@ As any smartphone app users can download either Altme or Talao wallet for their | Profiles | VC format | OIDC4VCI | OIDC4VP | key | DID | Embedded issuer links | | :---------- | ------------------------------------------------ | ---------- | --------- | ----------------------- | -------------------------------- | ------------------------------------------------------------------------ | | Default | ldp_vc, jwt_vc_json, jwt_vc_json-ld, vc+sd-jwt | 13 | 20 | EdDSA | did:key | VerifiableId (ldp_vc), EmailPass (ldp_vc), PhoneProof, Over18 (ldp_vc) | -| EBSI V3.x | jwt_vc | 11 | 18 | P-256 | did:key(EBSI) | IndividualVerifiableAttestation(jwt_vc) | +| EBSI V3.x | jwt_vc | 11 | 18 | P-256 | did:key(EBSI) | IndividualVerifiableAttestation(jwt_vc) | | EBSI V4.0 | ldp_vc, jwt_vc_json, jwt_vc_json-ld, vc+sd-jwt | 13 | 20 | P-256 | did:key(EBSI) | VerifiableId (jwt_vc_json) | -| DIIP V3.0 | ldp_vc, jwt_vc_json, jwt_vc_json-ld, vc+sd-jwt | 13 | 20 | P-256 | did:jwk | Personal ID (vc+sd-jwt), Emailpass (vc+sd-jwt), Over18 (vc+sd-jwt) | +| DIIP V3.0 | jwt_vc_json, jwt_vc_json-ld, vc+sd-jwt | 13 | 20 | P-256 | did:jwk | Personal ID (vc+sd-jwt), Emailpass (vc+sd-jwt), Over18 (vc+sd-jwt) | | Custom | Any | 11/13 | 20 | EdDSA/P-256/seckp256k | did:key/did:jwk/JWK thumbprint | None | -All VC formats = JWT-VC (jwt_vc, jwt_vc_json, jwt_vc_json-ld), JSON-LD (ldp_vc), SD-JWT VC (vc+sd-jwt). - Advanced users can switch between the different profiles and even create their own custom profile. The wallets propose a lots of technical options for advanced users and developers. +At initialization the wallet profile is DIIP V3.0. + ## Custom profile To define a custom profile of the wallet: -1. Choose profile "Custom", -2. Select Settings/Self Sovereign Identity/OIDC4VCI settings +1. Go to "Settings", +2. Choose profile "Custom", +3. Select the options you want to use. -This section allows an advanced user to specify manually the SSI profile of his wallet. 
Custom profile can only support one VC format at a time. +This section allows an advanced user to specify manually the ecosystem technical options of his wallet. Custom profile can only support one VC format at a time. ## Wallet setup with the wallet provider backend diff --git a/docusaurus.config.ts b/docusaurus.config.ts index 6fc73ac..cc7a270 100644 --- a/docusaurus.config.ts +++ b/docusaurus.config.ts @@ -60,7 +60,7 @@ const config: Config = { type: 'docSidebar', sidebarId: 'documentationSidebar', position: 'left', - label: 'Documentation v0.1.3', + label: 'Documentation v0.1.4', }, { href: 'https://github.com/TalaoDAO',
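Review bot: In the issuer_configuration.md drafts hunk, the "Implementer Draft 2.0 (Draft 15)" entry links to the rolling working-group draft (openid-4-verifiable-credential-issuance-wg-draft.html) rather than a numbered snapshot, so the link will drift as the editors keep publishing; the other entries pin a numbered revision and this one should too once a numbered URL exists. "partially supported" for Draft 14 also leaves the reader guessing what is partial; the settings page in this same patch says it is the nonce endpoint only, and that qualifier belongs here as well.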
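Review bot: In the "Wallets support" hunk of issuer_configuration.md, the new `* [DPoP RFC 9449](https://datatracker.ietf.org/doc/html/rfc9449)` bullet says DPoP is supported but not where the proof is sent. Since the removed line was "DPoP for code and token", the supported list should state whether the wallet sends a DPoP proof to the token endpoint, presents the sender-constrained access token with the `DPoP` scheme at the credential endpoint, or both, and which key signs the proof; an issuer implementer cannot otherwise know what to expect. Minor: the DPoP and "IETF Token Status List Draft 6" bullets lack the trailing comma every other item in the list uses.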
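Review bot: In the ldp_vc hunk that bolds **did:key**, the two context lines immediately after it still read "remonte @context loading" and "`@contex`t array"; since they are in the same hunk, fix them to "remote" and "`@context`" in this change.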
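Review bot: The new oauth-authorization-server example in issuer_configuration.md is missing the `issuer` member, which RFC 8414 makes REQUIRED and which a client is expected to compare with the identifier it derived the metadata URL from before trusting `authorization_endpoint`, `token_endpoint` and `jwks_uri`; add `"issuer": "https://talao.co/issuer/sobosgdtgd"` to the example. Two more points on the same hunk: RFC 8414 forms the metadata URL by inserting `/.well-known/oauth-authorization-server` between host and path (giving `/.well-known/oauth-authorization-server/issuer/sobosgdtgd`), whereas the example appends it to the path, so state which form the wallet actually requests and what it does when that request fails; and `display` is a credential issuer metadata parameter in OIDC4VCI, not an RFC 8414 authorization server parameter, so it is out of place in this document even though clients ignore unknown members. Minor: "matadata" in the new lead sentence, and the empty first line inside the ```json fence.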
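Review bot: In the oidc4vc_settings.md navigation hunk, step 3 "Select the options you want to setup" should read "set up" (verb); the parallel list added to wallet-profiles.md in this patch says "Select the options you want to use.", so pick one wording and use it in both files.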
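Review bot: The new sentence under "### OIDC4VCI" in oidc4vc_settings.md ("Draft 14 is partially supported : nonce endpoint is supported for build 2.18.8 and above...") only covers the case where the issuer exposes a nonce endpoint; say what the wallet does when Draft 14 is selected but the issuer metadata advertises no nonce endpoint (fall back to the nonce from the token endpoint, or fail the issuance), since that is the case an integrator will hit first. Also drop the space before the colon.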
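Review bot: In the client authentication hunk of oidc4vc_settings.md, the added sentence "These client authentication methods allow pre-registered wallet. Choose "none" otherwise." is ungrammatical and sits after the RFC link instead of next to the list it qualifies; suggest "client_secret_basic, client_secret_post and client_id require a wallet that is pre-registered with the authorization server; choose none otherwise." placed before the link. Note too that RFC 6749 section 2.3 does not define client_id on its own as an authentication method (it only identifies a public client), so the list should not present it as one.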
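Review bot: In the "Wallet Client_id scheme" hunk, "Pre-registered client: Used for secure or private interaction with the authorization server." says nothing about what the client_id value is; the other two options name the identifier (a DID, a JWK thumbprint), so this one should say that client_id is the value the wallet was registered with, that it pairs with the client_secret_* methods in the previous section, and, if that registration is the Wallet Provider Backend mentioned at the top of the page, say so.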
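Review bot: The new "### Demonstrating Proof of Possession (DPoP)" section quotes RFC 9449 but never says what the setting does: whether DPoP is on or off by default, whether it applies to the token endpoint only or also sender-constrains the access token at the credential endpoint, and which key signs the proof. The quotation opens with `"...` and is never closed, "RFC 9449 :" has a stray space before the colon, and the RFC should be a link like the other sections on this page (https://datatracker.ietf.org/doc/html/rfc9449, the same URL this patch uses in issuer_configuration.md).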
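Review bot: verifier-configuration.md changes the supported drafts list but keeps "Updated the 18th of November 2024." in the context, while the other three docs in this patch are bumped to 12th of December 2024; update the date. Within the list, "implementer Draft 2 (Draft 18)" is lowercase and "partial support" differs from the "partially supported" wording used in issuer_configuration.md; align both. The "Implementer Draft 1 (Draft 8)" link uses the old openid-connect-4-verifiable-presentations-1_0-ID1.html name, which is fine if that is the real URL but worth confirming it resolves.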
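Review bot: In the "Wallets do not support" hunk of verifier-configuration.md, the two new bullets lack the trailing comma the rest of the list uses, and "transaction data" should use the parameter's actual name `transaction_data` so readers can search the spec for it.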
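Review bot: In the wallet-profiles.md table hunk, the Custom row still lists OIDC4VCI "11/13" while this same patch states in oidc4vc_settings.md that Draft 14 is partially supported from build 2.18.8; either add 14 to the row or note the build dependency. The deleted line "All VC formats = JWT-VC (jwt_vc, jwt_vc_json, jwt_vc_json-ld), JSON-LD (ldp_vc), SD-JWT VC (vc+sd-jwt)." was the only place on the page that explained the format groupings; if it goes, the format names need to be explained elsewhere. Also the unchanged context line "The wallets propose a lots of technical options" should read "a lot of".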